Information Security Blog

What a BMW 328xi can teach you about Security Awareness Training

I (unfortunately) had to buy a new car this past month. I say unfortunately because it was a time-consuming project at a time when I was already over-taxed at work. I also say unfortunately because the reason I had to buy a new car was that I totaled my previous car, with my son in the car – scary stuff. Fortunately, my son, I, and the folks in both other cars involved in the accident were not hurt.

During my search, one of the cars I decided to test drive was a BMW 3 Series. I had never driven a BMW so I figured it was time to test the “Ultimate Driving Machine” moniker. After a test drive you could sum up my feelings in a single word: “underwhelmed”. My wife drove a Ford Contour in the late 90’s that to my recollection was as much or more a “driving machine” as the BMW was.

A week later a friend of mine who drives a 2010 BMW 328xi was incredulous when I compared his beloved car to a late 90’s Contour and insisted there must have been something wrong with the car I drove. He asked me if I had put the transmission in “Sport” mode (I had), which allows you to shift the car manually. A knowing smile spread across his lips. “Did you ever just leave it in the ‘tiptronic’ mode without shifting manually?” When I told him “No”, he tossed me his keys: “Let’s go!”

I now fully understand why it’s called the “Ultimate Driving Machine.” I was still smiling an hour later.

So what does this have to do with Security Awareness …

I am sure that BMW’s Global Sales Manager would expect EVERY salesperson to demonstrate the “sport” driving mode of their vehicles to EVERY car buyer requesting a test drive (especially one who told the salesperson “I’m not that impressed” during the test drive). It would be interesting to know whether BMW’s Sales Training explicitly calls this out, or whether it is one of those things that is so obvious that they didn’t even feel it was necessary to spell it out. I would also think that BMW would have put some “controls” in place to make sure that this couldn’t happen (so that the tens of millions of dollars it spends each quarter on marketing aren’t wasted). Either they didn’t, or the controls are not effective.

Think about your environment. What information security controls do you assume that EVERY employee knows about? For what critical controls that you have stressed to your employees do you not have any mechanisms in place to validate that they are working?

Are emails with PII/PCI/HIPAA protected data being sent to/from your clients?

Are access control “exceptions” put in place on your firewalls/applications/Identity Management that don’t follow normal approval processes? If so, are they also failing to be de-provisioned in a timely manner?

Are critical business apps being pushed into production without proper security testing?

I’ll bet your dollar against my new car that in most organizations the answer to these or similar (and equally troubling) questions is yes. Ten years of security auditing experience tells me that if you take the bet, I’ll be drinking the half cup of coffee I bought with your dollar in my new non-BMW car.
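One mechanism that answers the second question above (exceptions granted outside the approval process and never de-provisioned), as an added example that is not part of the original post: a small Python audit over exception records exported from a firewall, application or Identity Management system. The record layout, the 90-day threshold for open-ended exceptions and the sample export are all constructed here.

```python
# Added example, not from the original post: a control-validation check over
# access-control exception records. The record format, policy thresholds and
# sample data are constructed for illustration.
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class AccessException:
    exception_id: str
    system: str                      # e.g. "edge-firewall", "hr-app", "idm"
    granted_to: str
    granted_on: date
    expires_on: Optional[date]       # None means the exception is open-ended
    approval_ticket: Optional[str]   # None means no approval record exists
    active: bool                     # still provisioned on the system

def audit_exceptions(records, today, max_open_ended_days=90):
    """Return (exception_id, reason) pairs for exceptions that violate policy.

    Assumed policy: every exception needs an approval ticket and an expiry,
    and must be de-provisioned (active=False) once it has expired. Active
    open-ended exceptions older than max_open_ended_days are flagged too.
    """
    findings = []
    for r in records:
        if not r.approval_ticket:
            findings.append((r.exception_id, "no approval ticket"))
        if r.expires_on is None:
            if r.active and (today - r.granted_on).days > max_open_ended_days:
                findings.append((r.exception_id, "open-ended and stale"))
        elif r.active and r.expires_on < today:
            findings.append((r.exception_id, "expired but still active"))
    return findings

# Constructed sample export: four exceptions, three of them problematic.
TODAY = date(2011, 4, 1)
SAMPLE = [
    AccessException("EXC-001", "edge-firewall", "vendor-vpn", date(2011, 1, 10),
                    date(2011, 2, 10), "CHG-4410", active=True),   # expired, still open
    AccessException("EXC-002", "hr-app", "contractor-7", date(2011, 3, 20),
                    date(2011, 6, 20), None, active=True),         # never approved
    AccessException("EXC-003", "idm", "svc-backup", date(2010, 6, 1),
                    None, "CHG-3001", active=True),                # open-ended, stale
    AccessException("EXC-004", "hr-app", "temp-audit", date(2011, 3, 1),
                    date(2011, 3, 15), "CHG-4502", active=False),  # properly closed
]
```

Running `audit_exceptions(SAMPLE, TODAY)` flags EXC-001, EXC-002 and EXC-003 and leaves the properly closed EXC-004 alone; scheduling a run like this against a real export is the kind of mechanism the post asks whether you have.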


John Verry (CISA, 27001 Certified Lead Auditor, CCSE, CRISC) is Pivot Point's resident "Security Sherpa". He is lucky enough to spend most of his day helping clients develop a road map to address security, compliance, and attestation requirements.